In a significant development for the cybersecurity landscape, the masterminds behind the Kimwolf botnet, a sophisticated threat that has already compromised over two million devices, have seemingly gained access to the control panel of Badbox 2.0, a vast botnet originating from China and powered by malware pre-installed on numerous Android TV streaming boxes. This alleged infiltration, revealed through a shared screenshot by the Kimwolf operators, provides crucial new insights into the individuals potentially orchestrating the Badbox 2.0 network, a subject of ongoing investigation by both the FBI and Google.

The Kimwolf botnet, first detailed in a KrebsOnSecurity report in early 2026, is known for its highly invasive propagation methods, predominantly targeting unofficial Android TV boxes marketed for illicit streaming services. These devices, often sold for a one-time fee, represent a significant vector for Kimwolf’s expansion. Previously, in January 2026, multiple sources identified the administrators of Kimwolf by the aliases "Dort" and "Snow." The recent revelation centers on a screenshot, purportedly taken by the Kimwolf operators while logged into the Badbox 2.0 control panel. This image displays seven authorized users, with one account, labeled "ABCD," standing out. According to the source who provided the screenshot, this "ABCD" account, actively logged in and displayed prominently, belongs to "Dort," who apparently managed to add their email address as a legitimate user of the Badbox 2.0 botnet.

The history of Badbox 2.0 predates Kimwolf’s emergence in late 2025. In July 2025, Google initiated a "John Doe" lawsuit against 25 unidentified defendants, accusing them of operating Badbox 2.0. Google described it as a botnet comprising over ten million unauthorized Android streaming devices, primarily engaged in advertising fraud. The company highlighted that Badbox 2.0 not only compromises devices before purchase but can also infect them through malicious applications downloaded from unofficial marketplaces. This legal action followed a June 2025 advisory from the Federal Bureau of Investigation (FBI). The FBI’s warning detailed how cybercriminals were infiltrating home networks by either pre-installing malware on devices or embedding backdoors in required applications during the setup process. The FBI noted that Badbox 2.0 surfaced after the disruption of the original Badbox campaign in 2024, which itself was identified in 2023 and primarily involved Android TV boxes compromised with backdoor malware before sale.

Initially, KrebsOnSecurity expressed skepticism regarding the claim of Kimwolf botmasters hacking the Badbox 2.0 network. However, a deeper investigation into the email addresses present in the shared screenshot began to reveal a compelling connection.

Who Operates the Badbox 2.0 Botnet?

CATHEAD

One of the email addresses visible in the screenshot is "[email protected]," associated with the username "Chen." A search for this email address links it to several China-based technology companies, including Beijing Hong Dake Wang Science & Technology Co Ltd., Beijing Hengchuang Vision Mobile Media Technology Co. Ltd., and Moxin Beijing Science and Technology Co. Ltd. The website for Beijing Hong Dake Wang Science, asmeisvip[.]net, was identified in a March 2025 report by HUMAN Security as a site involved in the distribution and management of the Badbox 2.0 botnet. Similarly, moyix[.]com, a domain linked to Beijing Hengchuang Vision Mobile, was also flagged in the same report.

Further investigation through the breach tracking service Constella Intelligence revealed that the email address [email protected] had previously used the password "cdh76111." Pivoting on this password in Constella’s database uncovered two other email accounts that had used the same password: [email protected] and [email protected]. Constella also found that [email protected] was used to register an account on JD.com, China’s largest online retailer, in 2021 under the name "Chen Daihai." DomainTools.com records indicate that the name Chen Daihai is present in the original registration details (dating back to 2008) for moyix[.]com, alongside the email address cathead@astrolink[.]cn. Notably, astrolink[.]cn is also among the domains identified by HUMAN Security in their 2025 report on Badbox 2.0. DomainTools data shows that cathead@astrolink[.]cn was used to register over a dozen domains, including vmud[.]net, another domain linked to Badbox 2.0 by HUMAN Security.

XAVIER

A cached version of astrolink[.]cn from archive.org reveals it belongs to a mobile app development company named Beijing Astrolink Wireless Digital Technology Co. Ltd. An archived "Contact Us" page from 2007 lists Chen Daihai as a member of the company’s technology department. The other individual featured on that page is Zhu Zhiyu, whose email address is listed as xavier@astrolink[.]cn.

The Badbox 2.0 control panel includes a user named "Mr.Zhu" who utilizes the email address [email protected]. A search for this email address in Constella links it to a JD.com account registered under the name Zhu Zhiyu. Furthermore, a distinctive password used by this account is identical to the password used by [email protected], which DomainTools identifies as the original registrant of astrolink[.]cn.

ADMIN

The first account listed in the Badbox 2.0 control panel, "admin," registered in November 2020, used the email address [email protected]. DomainTools records show this email address is associated with the 2022 registration of the domain guilincloud[.]cn, listing the registrant as "Huang Guilin." Constella Intelligence connects [email protected] to the Chinese phone number 18681627767. The open-source intelligence platform osint.industries reveals that this phone number is linked to a Microsoft profile created in 2014 under the name Guilin Huang. The cyber intelligence platform Spycloud indicates that this phone number was used in 2017 to create a Weibo account under the username "h_guilin."

The remaining three users listed in the Badbox 2.0 control panel, along with their corresponding QQ.com email addresses, were all connected to individuals in China. However, none of these individuals, nor Mr. Huang, exhibited any apparent links to the entities created and operated by Chen Daihai and Zhu Zhiyu, nor to any other identifiable corporate entities. Attempts to contact these individuals for comment were unsuccessful.

A comprehensive mind map, compiled from search pivots on the email addresses, company names, and phone numbers, strongly suggests a connection between Chen Daihai, Zhu Zhiyu, and the Badbox 2.0 botnet.

The notion that Kimwolf operators could have direct access to the Badbox 2.0 botnet is significant, primarily due to Kimwolf’s unique propagation mechanism. The botmasters discovered a method to exploit residential proxy services, leveraging them to relay malicious commands to vulnerable devices residing behind the firewalls of unsuspecting users on local networks. The primary targets for Kimwolf are Internet of Things (IoT) devices, particularly unsanctioned Android TV boxes and digital photo frames, which often lack any built-in security or authentication. This means that any device capable of communication is susceptible to compromise with a single command.

Previous research from the proxy-tracking firm Synthient highlighted that 11 different residential proxy providers were vulnerable to abuse for local network probing and exploitation. While many of these providers have since implemented measures to prevent such upstream access into customer local networks, the alleged access to the Badbox 2.0 control panel presents a new avenue for Kimwolf’s expansion.

The source who provided the Badbox 2.0 screenshot indicated that the Kimwolf botmasters possessed an "ace up their sleeve" all along: covert access to the Badbox 2.0 botnet control panel. "Dort has gotten unauthorized access," the source stated. "So, what happened is normal proxy providers patched this. But Badbox doesn’t sell proxies by itself, so it’s not patched. And as long as Dort has access to Badbox, they would be able to load" the Kimwolf malware directly onto TV boxes associated with Badbox 2.0.

The exact method by which Dort gained access to the Badbox botnet panel remains unclear. However, it is highly probable that Dort’s existing account will not remain operational for long. Upon sending notifications to the QQ.com email addresses listed in the control panel screenshot, including a copy of the image and inquiries about the seemingly rogue "ABCD" account, a response was received.